The development of the EDVAC computer system of 1948 is often cited as the beginning of the computer era. Since that time, computer systems have evolved into extremely sophisticated devices, and computer systems may be found in many different settings. Computer systems typically include a combination of hardware (such as semiconductors, integrated circuits, programmable logic devices, programmable gate arrays, and circuit boards) and software, also known as computer programs.
Years ago, computers were isolated devices that did not communicate with each other. Today, however, computers are often connected in networks, such as the Internet or World Wide Web, and a user at one computer, often called a client, may wish to access information at multiple other computers, often called servers, via a network.
As computers have become more and more connected via networks, computers have become increasingly at risk of contracting computer viruses. A computer virus may be any malicious, unauthorized, or otherwise dangerous computer program or piece of code that “infects” a computer and performs undesirable activities in the computer. Some computer viruses are simply mischievous in nature. But other viruses can cause a significant amount of harm to a computer and/or its user, including stealing private data, deleting data, clogging the network with many emails or transmissions, and/or causing a complete computer failure. Some viruses even permit a third party to gain control of a user's computer without the knowledge of the user, while others may utilize a user's computer in performing malicious activities such as launching denial-of-service attacks against other computers.
Viruses can take many different forms and can be spread in a wide variety of manners, e.g., as email attachments, macros or scripts, Trojan horses, worms, logic bombs, etc., all of which, for the purposes herein, will be referred to hereinafter as “viruses”. Often, a virus will hide in, or “infect”, an otherwise healthy computer program, so that the virus will be activated when the infected computer program is executed. Viruses typically also have the ability to replicate and spread to other computer programs, as well as other computers.
To address the risks associated with viruses, significant efforts have been directed toward the development of anti-virus computer programs that attempt to detect and/or remove viruses that attempt to infect a computer. Such efforts have resulted in a continuing competition where virus creators continually attempt to create increasingly sophisticated viruses, and anti-virus developers continually attempt to protect computers from new viruses.
One capability of many conventional anti-virus programs is the ability to perform virus checking on virus-susceptible computer files after the files have been received and stored in a computer, e.g., after downloading emails or executable files from the Internet. Server-based anti-virus programs are also typically used to virus check the files accessible by a server. Such anti-virus programs, for example, are often used by web sites for internal purposes, particularly download sites that provide user access to a large number of downloadable executable files that are often relatively susceptible to viruses.
There are several well-accepted methods for detecting computer viruses in memory, programs, documents or other potential hosts that might harbor them. One popular method, employed in many anti-virus products, is called “scanning.” A scanner searches (or scans) the potential hosts for a set of one or more (typically several thousand) specific patterns of code called “signatures” that are indicative of particular known viruses or virus families, or that are likely to be included in new viruses. A signature typically consists of a pattern to be matched, along with implicit or explicit auxiliary information about the nature of the match and possibly transformations to be performed upon the input data prior to seeking a match to the pattern. The pattern could be a byte sequence to which an exact or inexact match is to be sought in the potential host. Unfortunately, the scanner must know the signature in order to detect the virus, and malicious persons are continually developing new viruses with new signatures, of which the scanner may have no knowledge.
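The signature model described above (a pattern, an exact or inexact match, and an optional transformation applied to the input first) can be shown in a short scanner. This is an added example, not code from the original page; the signature names, byte patterns and sample hosts are all constructed and describe no real malware.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Signature:
    name: str
    pattern: str  # space-separated hex bytes; "??" matches any one byte (inexact)
    transform: Optional[Callable[[bytes], bytes]] = None  # applied to the host first

    def regex(self) -> "re.Pattern[bytes]":
        parts = [b"." if t == "??" else re.escape(bytes.fromhex(t))
                 for t in self.pattern.split()]
        return re.compile(b"".join(parts), re.DOTALL)

# Constructed signatures for illustration; none describes real malware.
SIGNATURES = [
    Signature("Demo.Exact", "DE AD BE EF 13 37"),        # exact byte sequence
    Signature("Demo.Wildcard", "4D 5A ?? ?? C0 DE"),     # two variable bytes
    Signature("Demo.Script", b"run_demo_payload(".hex(" "),
              transform=bytes.lower),                    # case-folded before matching
]

def scan(host: bytes, signatures=SIGNATURES) -> List[Tuple[str, int]]:
    """Return (signature name, offset in the transformed host) for every match."""
    hits = []
    for sig in signatures:
        data = sig.transform(host) if sig.transform else host
        hits += [(sig.name, m.start()) for m in sig.regex().finditer(data)]
    return hits

# Constructed sample hosts.
HOST_BINARY = (b"\x00\x01" + bytes.fromhex("4D5A9000C0DE") + b"pad"
               + bytes.fromhex("DEADBEEF1337"))
HOST_SCRIPT = b"Sub X()\n  Run_Demo_Payload(1)\nEnd Sub"
# One byte differs from Demo.Exact: the scanner has no signature for this variant.
HOST_VARIANT = b"pad" + bytes.fromhex("DEADBEEF1338")

if __name__ == "__main__":
    for label, host in [("binary", HOST_BINARY), ("script", HOST_SCRIPT),
                        ("variant", HOST_VARIANT)]:
        print(label, scan(host))
```

The empty result for `HOST_VARIANT` is the limitation the paragraph ends on: a single changed byte outside a wildcard position defeats a signature the scanner otherwise knows.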
In an attempt to overcome this problem, other methods of virus detection have been developed that do not rely on prior knowledge of specific signatures. These methods include monitoring memory or intercepting various system calls in order to monitor for virus-like behaviors, such as attempts to run programs directly from the Internet without downloading them first, changing program codes, or remaining in memory after execution.
Despite all of these efforts at virus detection, viruses continue to plague computer users. Without a better way to detect computer viruses, users will continue to lose time and money detecting and recovering from malicious viruses.